Data erasure is a topic hardly to be underestimated by companies when it comes to protecting proprietary or personal data of employees or customers from unauthorised access on behalf of third parties. Data, documents, records – everything that survives for a certain period and reaches the end of its useful life, must be securely erased at some time. But what kind of data erasure should be used with which storage medium? Are there any special factors that should be considered?
Why should data be erased?
Companies, no matter whether they are part of a large corporation or a smaller business, definitely need to use a professional data erasure method if they want to ensure that their data doesn’t fall into the wrong hands, like the Brighton and Sussex University Hospitals NHS Trust experienced in 2008.
Generally speaking, due to legal and internal regulations, data should be erased at the end of its so-called lifecycle. There are a number of existing national rules, regulations and laws that already require companies to comply with data protection measures, and thus also with data erasure. The provisions concerning data erasure will also become significantly tougher with the introduction of the European data protection regulation. The central element of this regulation, which is expected to come into force early next year, is certainly Article 17, which gives force of law to the “right to deletion” or the “right to be forgotten”.
To cut a long story short: Article 17 requires that all saved personal information that is no longer needed for its original purpose, for which no consent was given for its processing, or if its agreed retention period has expired, is to be securely erased. This requirement applies to all data collected, structured, transmitted and distributed concerning EU citizens, irrespective of the country or the storage system where the data is saved. For all companies, regardless of their size, this means that they should prepare intensively as of now and adapt all their processes to the new rules.
What is the right way to erase?
Method 1: Degaussing
There are some reliable and inexpensive ways to have data erased securely, and above all, irrevocably. If the data storage device is no longer to be used after erasure, there are two possible methods: either demagnetisation using a Degausser or mechanical destruction in a so-called shredder. Both solutions work well in case of defective equipment and when the hardware necessary to access the data no longer exists. However, those responsible have to understand clearly that afterwards the media become absolutely unusable.
How a Degausser works: 1. Push the medium in; 2. Press the button; 3. The data is erased…
What storage media can be “degaussed”?
Something many people may possibly not know: all storage devices based on magnetism can be securely erased using a degausser:
- 5 ¼, 3 ½ or 2 ½-inch hard disk drives
- Digital magnetic tapes of all popular formats: LTO, DLT, etc.
- 5 ¼ and 3 ½-inch floppy disks
However, a Degausser cannot erase storage devices based on FLASH NAND electronic chips. This is technically impossible to erase with a degausser. For storage devices such as USB flash drives, SSD hard drives or flash cards, the only possible method is erasure using data erasure software.
Method 2: Secure erasure using software
Another option, which is recommended especially for the increasingly widespread SSD hard drives, is erasure using software. In this case, a data medium is repeatedly overwritten in a random manner with ones and zeros so that not even professional data recovery specialists are able to do anything about it after erasure has been completed. The advantage of this is that the drives can still be used afterwards, because only the existing information is destroyed. In the case of an SSD hard drive, for example, this means that after using a data erasure software solution on it, it can be simply formatted again and put back into operation.
Using data erasure software with magnetic tapes: does it make any sense?
Currently, there is no special data erasure software available on the market specifically designed for tapes to be discarded, nor is it is actually necessary. Because tapes can be also processed using existing software solutions. Thus, the contents of tapes can be processed over tape storage systems in the same manner as data on a traditional hard drive or other storage devices which are registered as a logical drive by the operating system.
However, several questions arise in case of intending to use software for secure data erasure on magnetic tapes:
1. Does it make any sense to erase tapes in order to use them again at a later time?
Probably not. Old magnetic tapes become porous after a few years and are prone to tearing. The result is that they destroy the hardware, which often cannot be replaced.
2. Is the original magnetic tape storage system available?
To use the software, the appropriate (legacy) hardware to access the tapes must exist. Otherwise, they cannot be erased.
3. Is the effort of data erasure using software worthwhile in the case of tapes?
Data erasure takes time. Although modern tape storage systems are becoming increasingly faster, accessing the tapes and constantly writing ones and zeros, as these software solutions do, is a lengthy process.
4. Is the cost of data erasure using software justified in the case of tapes?
Most probably not! Even if it would mean the possibility of reusing the tapes (although this is something that shouldn’t be done) the cost of the work effort would probably be significantly higher than the cost of purchasing new tapes. And the risk of destruction of the hardware and the subsequent need of purchasing new one definitively speaks against the use of data erasure software in the case of tapes.
No matter what method of data erasure is finally used, it should always be part of a consistent process and take into account some basic points. A rule for the secure disposal of old devices should be put in place and – this is the actual core issue – also be respected. It should also be clearly specified who is responsible for the actual data erasure and who for checking it. Because from the perspective of compliance, these tasks should be the responsibility of different people. And finally, companies should never forget that data erasure is not a bothersome imposition but something crucial for the welfare of the company.